pkgsrc-Users archive


Re: About a rc.d script and "--user ${puser}"

OK, here is the full description and how-to-repeat section:

Privoxy seems to run as root:wheel instead of privoxy:privoxy and may allow everybody to edit all chmod=X6X chown=root:wheel files through its administration interface - depending on privoxy configuration.

How to repeat:
1- # cd /usr/pkgsrc/www/privoxy && make install
2- # cd /usr/pkg/etc/privoxy && chown root:wheel * && chmod 661 *
3- #vi /usr/pkg/etc/privoxy/config
< enable-edit-actions 1
> enable-edit-actions 0
4- #cp /usr/pkg/share/examples/rc.d/privoxy /etc/rc.d/privoxy
5- #/etc/rc.d/privoxy onestart
6- Now, please open up a browser and adjust its settings so that it uses port 8118 as proxy. Type 'p.p'. This will show your local privoxy administration page; go through 'View & change the current configuration' and click the EDIT button.
7- Notice that all rules are editable - really.

Extra information:
localhost# /etc/rc.d/privoxy onestart
Starting privoxy.

localhost# id privoxy
uid=1004(privoxy) gid=1002(privoxy) groups=1002(privoxy)

localhost# ps ax -o uid,gid,command|grep privoxy
1004 1002 /usr/pkg/sbin/privoxy --pidfile /var/run/ --user privoxy /usr/pkg/etc/privoxy/config
  0     0 grep privoxy

localhost# ls -al /usr/pkg/etc/privoxy
total 156
drwxr-xr-x   2 root  wheel    512 Feb  3 02:12 .
drwxr-xr-x  24 root  wheel   1024 Feb  3 01:40 ..
-rw-rw-r--   1 root  wheel  40653 Feb  3 02:13 config
-rw-rw-r--   1 root  wheel  45145 Feb  3 02:15 default.action
-rw-rw-r--   1 root  wheel  52569 Feb  3 02:12 default.filter
-rw-rw-r--   1 root  wheel   2715 Feb  3 02:12 standard.action
lrwxr-xr-x   1 root  wheel     41 Feb  3 02:12 templates -> /usr/pkg/share/examples/privoxy/templates
-rw-rw-r--   1 root  wheel   3761 Feb  3 02:12 trust
-rw-rw-r--   1 root  wheel   5375 Feb  3 02:14 user.action


Matthias Scheler, 02/03/09 10:12:
> On Tue, Feb 03, 2009 at 01:29:24AM +0200, Cem Kayali wrote:
>> I have used the patch, and checked the rc.d script before testing, re-tested again. The result is the same.
>>
>> This issue is quite strange. *Forgive me if I'm doing something wrong* but this looks like a security problem because any user having access to the privoxy administration page with "edit-actions-enable" enabled in the privoxy configuration has potential write access to all root:wheel files having chmod X6X permissions, especially to the /usr/pkg/etc/privoxy/* ones - tested.
>
> I'm sorry but your e-mail was filtered out by the NetBSD mailing list
> software ...
>
>> A screenshot attached.
>
> ... because of its excessive size.
>
> Could you please upload the screenshot somewhere and re-send your
> e-mail with a URL instead of an attached image?
>
>         Thanks in advance
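
An added example, not part of the original thread or of pkgsrc: a shell check that takes the daemon's actual uid/gid from `ps ax -o uid,gid,command` output and reports which files in an `ls -ln` listing those credentials can write. The function names are hypothetical, the sample input is constructed (modelled on the listings in the message), and supplementary groups are ignored.

```shell
#!/bin/sh
# Added example: which config files can the proxy daemon's credentials modify?

# daemon_ids NAME: read `ps ax -o uid,gid,command` output on stdin and print
# "uid gid" for each process whose executable basename is NAME.
daemon_ids() {
    awk -v name="$1" '{ n = split($3, p, "/"); if (p[n] == name) print $1, $2 }'
}

# writable_by UID GID: read `ls -ln` lines on stdin and print the regular files
# that a process with that uid and primary gid may write.
# Assumption: supplementary groups are ignored.
writable_by() {
    awk -v uid="$1" -v gid="$2" '
        /^-/ {                                   # regular files only
            mode = $1
            name = $9; for (i = 10; i <= NF; i++) name = name " " $i
            if (uid == 0)       ok = 1                            # root ignores mode bits
            else if ($3 == uid) ok = (substr(mode, 3, 1) == "w")  # owner class
            else if ($4 == gid) ok = (substr(mode, 6, 1) == "w")  # group class
            else                ok = (substr(mode, 9, 1) == "w")  # other class
            if (ok) print name
        }'
}

# Constructed sample input, modelled on the listings in the message.
sample_ps() {
    cat <<'EOF'
1004 1002 /usr/pkg/sbin/privoxy --user privoxy /usr/pkg/etc/privoxy/config
   0    0 grep privoxy
EOF
}
sample_ls() {
    cat <<'EOF'
total 156
drwxr-xr-x   2 0  0    512 Feb  3 02:12 .
-rw-rw-r--   1 0  0  40653 Feb  3 02:13 config
-rw-rw-r--   1 0  0   5375 Feb  3 02:14 user.action
-rw-r--r--   1 0  0   3761 Feb  3 02:12 trust
EOF
}

# Demo: what the observed daemon can write, versus a daemon left running as root.
set -- $(sample_ps | daemon_ids privoxy)
echo "uid=$1 gid=$2 can write: $(sample_ls | writable_by "$1" "$2" | tr '\n' ' ')"
echo "uid=0 gid=0 can write: $(sample_ls | writable_by 0 0 | tr '\n' ' ')"
```

On a live system the same functions take `ps ax -o uid,gid,command` and `ls -ln /usr/pkg/etc/privoxy` as their input in place of the sample functions.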
